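#!/bin/sh
# Create an address set for the DMZ servers, using a /31 mask
# (172.16.255.130/31 covers the two hosts .130 and .131).
#
# Abort on the first failing command and on any unset variable: the ACLs
# below refer to the address set by name ($dmz), so they must not be added
# when creating it has failed.
set -eu

# The escaped double quotes are passed through to ovn-nbctl so that the
# "addresses" column receives an OVSDB string literal rather than a bare word.
ovn-nbctl create Address_Set name=dmz addresses=\"172.16.255.130/31\"

# Allow traffic whose source IP is in the dmz address set and whose
# destination port is 3306. The single quotes are deliberate: $dmz is an
# address-set reference evaluated by OVN, not a shell variable, so it must
# reach ovn-nbctl unexpanded. allow-related is used instead of allow;
# presumably so that the related reply traffic is admitted too — confirm
# against the ovn-nbctl documentation for this version.
ovn-nbctl acl-add inside to-lport 1000 'outport == "inside-vm3" && ip4.src == $dmz && tcp.dst == 3306' allow-related
ovn-nbctl acl-add inside to-lport 1000 'outport == "inside-vm4" && ip4.src == $dmz && tcp.dst == 3306' allow-related

# Default ACL policy: drop IP traffic to these ports that matched no
# forwarding rule above. Priority 900 is deliberately lower than the allow
# rules (1000) so the allow rules take precedence.
ovn-nbctl acl-add inside to-lport 900 "outport == \"inside-vm3\" && ip" drop
ovn-nbctl acl-add inside to-lport 900 "outport == \"inside-vm4\" && ip" drop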
